Italy & SwitzerlandUpdated ·
The Cybersecurity Newspaper
On the wireMicrosoft Patch Tuesday with active zero-days // Wave of critical multi-vendor patches // SonicWall SMA 1000 zero-day under attack // AsyncAPI compromised in the npm supply chain
Microsoft Patch Tuesday with active zero-daysZero-day
● Top story — Zero-day

Microsoft Patch Tuesday with active zero-days

Microsoft released its monthly July 2026 update with an unprecedented volume of fixes, cited by various sources as 621, 622, or more than 570 vulnerabilities, including multiple flaws already being exploited in attacks. Among the affected areas are SharePoint, RDP, Hyper-V, Active Directory Federation Services, and other components widely deployed in enterprise and government environments.

Read more

The presence of already active zero-days makes the risk window immediately tangible, especially for organizations managing internet-exposed Windows infrastructure or systems with elevated privileges. CISA has also added several Microsoft vulnerabilities to the KEV catalog, pushing government agencies and companies to give patching the highest possible priority. The scale of the release also increases the likelihood of triage errors and delays in applying mitigations. In practice, this Patch Tuesday is not just large: it is an event that alters the work queue of security teams globally.

Product
Windows, SharePoint, RDP
Action
priority patching
Impact
immediate risk
From the newsroom
Wave of critical multi-vendor patchesAdvisory
Advisory

Wave of critical multi-vendor patches

In addition to Microsoft’s Patch Tuesday, the week saw numerous security updates for widely used products such as Chrome, Firefox, Adobe, VMware, Zoom, Citrix, Cisco, IBM WebSphere, Splunk, and others.

Read more

Google fixed multiple vulnerabilities in Chrome, including critical and high-severity flaws, while Mozilla fixed two critical bugs already being actively exploited. ACN and other sources reported vulnerabilities in enterprise products such as Cisco RoomOS, IBM WebSphere, Splunk, and Citrix, often with impacts on authentication, access to sensitive information, or arbitrary file write. This kind of patch wave matters because it hits the software layers used as entry points, collaboration channels, or platform components. Organizations that ignore secondary vendors risk leaving surfaces exposed even if they have already covered the main operating systems. The lesson is that remediation must be multi-vendor and coordinated, not limited only to endpoints.

Product
Chrome, Firefox, VMware
Severity
critical, high
Action
update all vendors
Impact
access, files, data
SonicWall SMA 1000 zero-day under attackZero-day
Zero-day

SonicWall SMA 1000 zero-day under attack

SonicWall has confirmed the active exploitation of two zero-day vulnerabilities affecting SMA 1000 appliances, forcing customers to update immediately and look for signs of compromise.

Read more

The flaws include CVE-2026-15409, a critical SSRF that allows a remote unauthenticated attacker to force the device to make requests to arbitrary destinations, and CVE-2026-15410, a post-authentication code injection vulnerability that can lead to command execution on the operating system. The response guidance is severe: if IoCs appear, SonicWall recommends re-imaging hardware appliances or redeploying virtual instances, in addition to resetting passwords and TOTP tokens. The severity is high because SMA 1000 is often used as a remote access point for users and administrators, so a compromise can open the internal network. The campaign is particularly concerning because it combines two complementary vectors, one pre-auth and one post-auth, expanding exploitation possibilities in real-world scenarios. For defenders, it is a short-term patching and hunting priority.

CVE
CVE-2026-15409, 15410
Product
SonicWall SMA 1000
Severity
critical, high
Action
update, re-image, reset
AsyncAPI compromised in the npm supply chainSupply chain
Supply chain

AsyncAPI compromised in the npm supply chain

The AsyncAPI organization was compromised through GitHub Actions and ended up publishing malicious versions of several heavily downloaded npm packages. The infected versions introduced an install-time payload and code capable of stealing credentials, tokens, SSH keys, crypto wallets, and cloud secrets, impacting an ecosystem with more than two million weekly downloads.

Read more

Microsoft described the attack as a CI/CD compromise exploited to distribute malware through trusted software, highlighting how the build chain is a highly powerful entry point. The event is relevant not only for developers using those packages, but for all organizations that treat npm and automated workflows as trusted channels. The combination of supply chain compromise, trust abuse, and payload persistence makes the case a classic example of systemic risk. It is also a strong signal that popular dependencies remain a primary target for attackers.

Product
AsyncAPI npm packages
Action
rotate secrets, audit
Impact
credential theft, malware
OAuth and device code under attackAuthentication
Authentication

OAuth and device code under attack

Account takeover campaigns are evolving from simple password spraying to manipulation of OAuth and device code flows. Proofpoint and Microsoft described how client ID spoofing in Entra ID allows attackers to enumerate accounts or infer authentication status without generating a classic successful sign-in.

Read more

Another research effort showed a “confused deputy” in Google IdP through device code flow hijacking, with the possibility of transferring sessions and reaching invisible takeovers. These vectors are highly important because they bypass part of traditional telemetry and exploit the identity provider’s own logic. In parallel, campaigns such as Forg365 and EvilTokens use device code phishing and session theft to maintain persistent access to Microsoft 365. The result is a threat that no longer depends only on weak passwords, but on how authentication protocols are implemented and logged.

Product
Entra ID, Google IdP
Action
monitor OAuth and flows
Impact
stealth account takeover
Vulnerable UEFI shims undermine Secure BootFirmware
Firmware

Vulnerable UEFI shims undermine Secure Boot

Researchers at ESET and Binarly highlighted that multiple older Microsoft-signed UEFI shims can still be used to bypass Secure Boot. The vulnerabilities affect bootloaders and startup components that, even if revoked or fixed, remain a risk if still present in the boot chain or in recovery images.

Read more

The issue is serious because it allows trust to be compromised at the firmware level, before the operating system can apply security controls. Different sources link the discovery to 11 vulnerable shims and multiple vulnerabilities in U-Boot, with impacts on routers, embedded devices, and critical infrastructure. This broadens the threat beyond PCs: smart cameras, controllers, and network appliances can also become stealth persistence vectors. The consequence is an urgent review of secure boot baselines, revocations, and firmware updates.

Product
UEFI shim, U-Boot
Action
revocations, firmware updates
Impact
Secure Boot bypass
Attacks halt logistics and food productionRansomware
Ransomware

Attacks halt logistics and food production

The attacks against Nichirei in Japan and fairlife, Coca-Cola’s dairy business in the United States, show how cyber risk can quickly turn into production stoppages. Nichirei suffered an attack that halted logistics and shipments, while fairlife suspended part of its US production after a ransomware-type incident affected systems tied to production.

Read more

Both cases highlight that the damage is not only informational: when operational systems are hit, industrial continuity and customer supply are disrupted. In neither case, at least in the initial reports, were there complete public attributions or certain details about the ransomware group. However, the fact that product quality and safety were declared intact while operations stopped shows the typical trade-off of cyber-industrial crises. For companies in manufacturing and the food chain, operational resilience is now a security measure in every sense.

Product
Nichirei, fairlife
Action
containment, continuity
Impact
production and shipment stoppage
Industrialized online fraud in Europe’s crosshairsFraud
Fraud

Industrialized online fraud in Europe’s crosshairs

Multiple police operations in Europe have targeted extremely profitable financial fraud networks, confirming that cybercrime is now a true industry. In the Netherlands and Spain, networks managing call centers, fake financial advisers, and

Read more

fraudulent investment platforms were dismantled, with estimated profits of up to 100 million euros per month or more than 140 million overall. In the United Kingdom, five people were charged over a caller ID spoofing service used in more than one million fraudulent calls. At the same time, threat intel reports show that tutorials on underground forums are increasing and that criminals continue to innovate in phishing, carding, and cash-out. These cases matter because they combine technical infrastructure, social engineering, and financial laundering into a single pipeline. For defenders and law enforcement, the challenge is to block not only access but also monetization.

Product
call centers, spoofing
Action
arrests, seizures
Impact
financial losses
Western sanctions against the Russian cyber ecosystemEnforcement
Enforcement

Western sanctions against the Russian cyber ecosystem

The United States, the European Union, and the United Kingdom have intensified measures against operators and infrastructure linked to Russian cyberespionage, sabotage, and crime-support campaigns.

Read more

Targets include individuals and entities connected to the FSB, bulletproof hosting providers such as Media Land, and VPN or cryptor services used by ransomware affiliates. The sanctions aim to disrupt the logistical support that enables groups such as Scattered Spider, ransomware operators, and state actors to move with greater impunity. These measures show that cyber deterrence is not only about malware and vulnerabilities, but also about the support companies that make the criminal ecosystem sustainable. Their relevance is high because they strike the attack supply chain and not just the final payload. Even if long-term effectiveness is difficult to measure, the coordinated pressure signals a maturing geopolitical response to cybercrime.

Product
hosting, VPN, cryptor
Action
coordinated sanctions
Impact
pressure on infrastructure
ClickFix industrializes phishing and malwarePhishing
Phishing

ClickFix industrializes phishing and malware

ClickFix has emerged as one of the most effective social engineering vectors of the recent period, moving from an occasional trick to an industrial ecosystem used to install malware and steal credentials.

Read more

Campaigns rely on fake pages imitating CAPTCHA, browser updates, or meeting errors and push victims to execute commands in the terminal or the Run window. Microsoft and other researchers observed families such as ACR Stealer and TELEPUZ using ClickFix to steal cookies, tokens, documents, and enterprise credentials. At the same time, various analyses show that attackers are also integrating AI to generate more credible lures and automate phases of the chain. The result is a threat that often evades antivirus and traditional endpoint controls because it uses the user as the execution mechanism. Its relevance is high because the technique works on both Windows and macOS and continues to be reused in different contexts.

Product
terminal, Run window
Action
awareness, script blocking
Impact
malware, account theft
More news